Access Control Table - Avaya M-MLS User Manual

Avaya M-MLS Routing Software: User Guide
Chapter 4

Access Control Table

The device provides hardware-based access control packet filtering of
forwarded IP traffic. By configuring access control statements, the user
specifies whether packets of a given type are forwarded, blocked, or blocked
and reported. An IP access control statement can specify source and
destination IP address ranges as well as the application type.
Each IP address range is defined by an IP address and a wildcard mask, and
can describe a single IP station, a subnet or network, or all IP stations. A
simple access control statement would be, for example, that IP stations on
the network 150.5.0.0 cannot communicate with station 193.1.1.1. More
advanced access control statements can specify the protocol above IP (e.g.
TCP or UDP) and specific applications (TCP/UDP port numbers), e.g. HTTP or
Telnet; the device checks the TCP/UDP destination port of each packet
against the configured applications.
Access control filtering rules can be asymmetric, allowing an application in
one direction while blocking the same application in the opposite direction,
based on which side initiates the session. To allow an application when the
default is block, the access control statements must explicitly allow both
the packets in one direction (e.g. the requests) and the packets in the other
direction (e.g. the replies).
Packets in the first direction usually carry the application's well-known
port number in the TCP destination port, whereas the replies usually carry a
dynamically assigned port number in the destination port. All replies in that
direction can therefore be allowed by configuring an access control statement
with port number >1023. This statement means "forward all packets from these
source addresses to those destination addresses whose destination port number
is above 1023". When the TCP port is >1023, the device additionally checks
that the TCP ACK bit is set. This check protects against attacks via
protocols that use high-numbered ports by ensuring that the packet is not the
initiation of a new session (a TCP connection request carries SYN with the
ACK bit clear) but part of an established session that was previously
initiated from the other direction and allowed by the device.
Note that the ACK-bit check itself is stateless: it examines the flag bits of
the packet in hand and does not verify that a matching session actually
exists, so any packet with ACK set and a destination port above 1023 satisfies
it. It also applies only to TCP; UDP has no ACK bit, so a >1023 statement for
UDP admits any packet to a high-numbered port in that direction.
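The address-range matching and the asymmetric request/reply handling described in this chapter, as an added example that is not part of the Avaya manual or the M-MLS software: a small stateless evaluator in Python. The Rule/Packet layout, the first-match ordering, the `block-report` action name, and the sample addresses and packets are all assumptions constructed here for illustration, not the M-MLS configuration syntax.

```python
"""Stateless access control evaluator modelled on the behaviour described
above.  Added example, not Avaya code: the Rule/Packet layout, first-match
ordering and the sample addresses are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Address/wildcard-mask match: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # protocol above IP: "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # TCP/UDP destination port, None for other protocols
    ack: bool = False            # TCP ACK flag; meaningless for non-TCP packets


@dataclass
class Rule:
    action: str                  # "forward", "block" or "block-report" (name assumed)
    src: str
    src_wc: str                  # wildcard mask for src
    dst: str
    dst_wc: str                  # wildcard mask for dst
    proto: Optional[str] = None  # None: any protocol above IP
    dport: Optional[int] = None  # exact destination port (the "application")
    high_ports: bool = False     # destination port > 1023; for TCP, ACK must be set

    def matches(self, p: Packet) -> bool:
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.high_ports:
            if p.dport is None or p.dport <= 1023:
                return False
            # The ">1023" statement only admits TCP packets that are not a new
            # connection request: a bare SYN has ACK clear and is refused here.
            # Nothing else is checked, so the test is stateless, and UDP has
            # no ACK bit at all.
            if p.proto == "tcp" and not p.ack:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """First matching statement decides; the configured default applies otherwise."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set: net 150.5.0.0/16 may not reach 193.1.1.1 at all, may
# send HTTP requests to the rest of 193.1.1.0/24, and replies come back to
# dynamic ports (>1023).  Everything else falls through to the block default.
RULES = [
    Rule("block-report", "150.5.0.0", "0.0.255.255", "193.1.1.1", "0.0.0.0"),
    Rule("forward", "150.5.0.0", "0.0.255.255", "193.1.1.0", "0.0.0.255",
         proto="tcp", dport=80),
    Rule("forward", "193.1.1.0", "0.0.0.255", "150.5.0.0", "0.0.255.255",
         high_ports=True),
]

# Constructed sample traffic, labelled by what it demonstrates.
SAMPLES = {
    "http_request":      Packet("150.5.7.9", "193.1.1.2", "tcp", 80),
    "http_reply":        Packet("193.1.1.2", "150.5.7.9", "tcp", 40123, ack=True),
    "forged_syn_8080":   Packet("193.1.1.2", "150.5.7.9", "tcp", 8080),
    "request_to_banned": Packet("150.5.7.9", "193.1.1.1", "tcp", 80),
    "telnet_request":    Packet("150.5.7.9", "193.1.1.2", "tcp", 23),
    "udp_high_port":     Packet("193.1.1.2", "150.5.7.9", "udp", 40123),
    "icmp_inbound":      Packet("193.1.1.2", "150.5.7.9", "icmp"),
}


def verdicts(rules: List[Rule] = RULES) -> Dict[str, str]:
    """Verdict for every sample packet under the given rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18s} {verdict}")
```

Running it shows the request forwarded on port 80, the reply forwarded to port 40123 because ACK is set, and a forged SYN to port 8080 from the outside blocked even though the port is above 1023. The `udp_high_port` sample is forwarded with no further test, which is the limit of the ACK-bit check: it is stateless and covers TCP only.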
Avaya M-MLS Routing Manager User Guide